Check: RCKS-L2S-000260
RUCKUS ICX Layer 2 Switch STIG, version v1 r1
Title
The RUCKUS ICX layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. (Cat II impact)
Discussion
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to the switch the victim is attached to. If the attacker knows the victim's MAC address, they can forge a frame with two 802.1q tags and a layer 2 header whose destination address is the victim's. Since the frame ingresses the switch from a port belonging to the native VLAN, the trunk port connecting to the victim's switch simply removes the outer tag, because native VLAN traffic is sent untagged. The switch then forwards the frame onto the trunk link unaware of the inner tag, whose VLAN ID is one of which the victim's switch port is a member.
Check Content
Examine the ports associated with the default VLAN.

device#show vlans
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 1024
Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 4505, Name DEFAULT-VLAN, Priority level0, On
 Untagged Ports: (U1/M1)
 Untagged Ports: (U1/M1)
 Untagged Ports: (U1/M1)
 Untagged Ports: (U1/M1)
 Untagged Ports: (U1/M2)
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled
device#

If any 802.1q trunk interfaces (with tagged VLANs) also have the default VLAN assigned as the native VLAN (i.e., untagged), this is a finding.
Fix Text
If a trunk port (1/2/1 below) also has the default VLAN assigned as the native VLAN (i.e., untagged), remove that interface from the default VLAN.

device# configure terminal
device(config)# default-vlan-id 4505
device(config)# vlan 4505
device(config-vlan-4505)# no untag ethernet 1/2/1
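The Check Content and Fix Text above can be automated against saved "show vlans" output. The following is an added example, not part of the STIG or of RUCKUS software: it parses the PORT-VLAN blocks, treats any port that carries a tagged VLAN as an 802.1q trunk, flags those trunks that are also untagged (native) in the VLAN named DEFAULT-VLAN, and emits the corresponding "no untag ethernet" lines. The sample output, port numbers and VLAN names are constructed for the example.

```python
import re

# Constructed sample of RUCKUS ICX "show vlans" output, not captured from a real device.
# 1/2/1 is untagged in DEFAULT-VLAN and tagged in VLAN 100 (finding);
# 1/2/2 is a trunk whose native VLAN is 200 (compliant).
SAMPLE_SHOW_VLANS = """\
PORT-VLAN 4505, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   1   2   3   4
 Untagged Ports: (U1/M2)   1
   Tagged Ports: None
PORT-VLAN 100, Name SERVERS, Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (U1/M2)   1   2
PORT-VLAN 200, Name UPLINK-NATIVE, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M2)   2
   Tagged Ports: None
"""

VLAN_LINE = re.compile(r"^PORT-VLAN (\d+), Name (\S+),")
PORT_LINE = re.compile(r"^\s*(Untagged|Tagged) Ports:\s+\(U(\d+)/M(\d+)\)\s+([\d\s]+)$")

def parse_show_vlans(text):
    """Map vlan_id -> (name, untagged_ports, tagged_ports); ports are 'unit/module/port'."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = (m.group(2), set(), set())
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            kind, unit, module, ports = m.groups()
            bucket = vlans[current][1] if kind == "Untagged" else vlans[current][2]
            bucket.update(f"{unit}/{module}/{p}" for p in ports.split())
    return vlans

def find_default_vlan_trunks(text):
    """Return (default_vlan_id, sorted trunk ports that are untagged in DEFAULT-VLAN)."""
    vlans = parse_show_vlans(text)
    # A port tagged in any VLAN is an 802.1q trunk; being untagged in DEFAULT-VLAN
    # makes the default VLAN its native VLAN, which is the finding this check looks for.
    trunk_ports = set().union(*(tagged for _, _, tagged in vlans.values()))
    for vid, (name, untagged, _) in vlans.items():
        if name == "DEFAULT-VLAN":
            return vid, sorted(untagged & trunk_ports)
    return None, []

def remediation_commands(default_vid, ports):
    """Config lines matching the Fix Text: remove each offending port from the default VLAN."""
    return [f"vlan {default_vid}"] + [f"no untag ethernet {p}" for p in ports]
```

On the constructed sample, `find_default_vlan_trunks(SAMPLE_SHOW_VLANS)` returns `(4505, ["1/2/1"])`, and `remediation_commands(4505, ["1/2/1"])` yields the two configuration lines from the Fix Text.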
Additional Identifiers
Rule ID: SV-273693r1110996_rule
Vulnerability ID: V-273693
Group Title: SRG-NET-000512-L2S-000012
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |